Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
357
Views
0
Helpful
4
Replies

Setup additional IP space on PIX outside interface

dsc_tech_1
Level 1
Level 1

‎10-08-2009 06:39 AM

We have been assigned a new block of IPs xxx.xxx.69.0/28 in different range to our existing ips xxx.xxx.94.145/28. The new block is being routed directly to our existing outside interface xxx.xxx.94.146. I would like to add this new block to the outside interface then NAT the addresses to private internal networks like we do at present for xxx.xxx.94.146/28 to 192.168.101.0/24.

Is this possible on a PIX 515 Restricted Version 7.0(7)?

Do I need a new interface/sub interface?

Can I do it without a VLAN our switches don't support them?

Any help much appreciated

Labels:
0 Helpful
4 Replies 4

JORGE RODRIGUEZ
Level 10
Level 10

‎10-08-2009 07:21 AM

Hi, you do not need to create another interface , if the new ip block is being routed through your existing ISP and as long your ISP is pointing/routing the new IP block back to your ASA outside interface that is enough to start using new ip block in asa , you simply create your NAT in the firewall.

Regards

Jorge Rodriguez
0 Helpful

JORGE RODRIGUEZ
Level 10
Level 10
In response to JORGE RODRIGUEZ

‎10-08-2009 06:26 PM

David, are you all set with your inquiry, if you need further assistance on setting up your new Ip block in your firewall let us know..

Regards

Jorge Rodriguez
0 Helpful

dsc_tech_1
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎10-09-2009 01:23 AM

> you simply create your NAT in the firewall.

Ok. We currently have the following NAT.

nat-control

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

Does that mean I can just add static mappings from outside to inside using the new public range?

Do I need to change the nat config?

I will up the logging and start testing.

0 Helpful

JORGE RODRIGUEZ
Level 10
Level 10
In response to dsc_tech_1

‎10-09-2009 03:02 AM

Does that mean I can just add static mappings from outside to inside using the new public range?

Yes, in your new range xxx.xxx.69.0/28 you'll have 14 addresses, depening on what your requirements are, you can utilize them either as NAT pools or static mappings for your servers..

for example

you already have global(outside) 1 interface and na (inside) 1 0 0 PATing your inside users with global interface IP, now on your new ip block you can create new static nats:

static (inside,outside ) pub_ip private ip etc..

for eaxmple you can create new PAT pool using to or three IPs from your new IP block range for outbound connections , and have certain inside subnets use that pool

e.i

global (outside) 2 xxx.xxx.69.1-xxx.xxx.69.3

nat (inside) 2

or have another PAT using single addres beide your outside interface and have just dmz network use that new PAT instead of outside interface.

global (outside) 3 xxx.xxx.69.4

nat (dmz) 3

Regards

Jorge Rodriguez
0 Helpful
Customers Also Viewed These Support Documents